<b>NAME</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nikto  - Web Server and CGI Scanner<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Version - 1.32<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
<b>SYNOPSIS</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;nikto [-h target] [options]<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
<b>WARNING</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nikto is a tool for finding default web files and examing web server and CGI security.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;It makes a lot of reqeusts to the remote server, which in some cases may cause the server<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;to crash.  It may also be illegal to use this software against servers you do not have <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;permission to do test.<br>
<br>
<br>
<b>DESCRIPTION</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nikto is designed to examine web servers and look for items in multiple categories:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- misconfigurations<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- default files and scripts<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- insecure files and scripts<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- outdated software<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;It uses Rain Forest Puppy's LibWhisker (wiretrip.net) for HTTP functionality, and can perform checks in <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;HTTP or HTTPS.  It also supports basic port scanning and will determine if a web server<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;is running on any open ports.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nikto checks and code can be automatically udpated from the main distribution server by<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;using the 'update' option (see below) to ensure Nikto is checking the most recent vulnerabilities.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nikto will also load user defined checks at startup if they are placed in a file named "user_scan_database.db" in<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;the plugins directory.  Unlike scan_database.db, this file will not be over-written if the -update option is used. This<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;should always be used if you add your own checks (and you should send those checks to sullo@cirt.net).<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nikto leaves a footprint on a server it scans--both in an invalid 404 check and in the User-Agent header. This can<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;be changed by forcing the $NIKTO{fingerprint} and $NIKTO{useragent} to new values in the source code, OR, if any<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;IDS evasion (-e) option is used.  Note that it's pretty obvious when Nikto is scanning a server anyway--the large<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;number of invalid requests sticks out a lot in the server logs, although with an IDS evasion technique it might not<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;be extremely obvious that it was Nikto.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Why the name Nikto? See the movies The Day the Earth Stood Still" and, of course "Army of Darkness" for the answer. For<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;a full list of pop-culture references to this, see http://www.blather.net/archives2/issue2no21.html which has a lot of<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;good information.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
<b>OPTIONS</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;The options listed below are all optional except the -h target specification.  They can all be abbreviated<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;to the first letter (i.e., -m for -mutate), with the exception of -verbose and -debug.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -Cgidirs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Optionally force the CGI directories to scan. Valid values are 'none' to not check any, 'all' to force scan all<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;CGi directories (like the deprecated -allcgi), or a value to use as the CGI directory, i.e. '/cgi/'. <br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -cookies&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Print out the cookie names and values that were received during the scan.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -evasion <evasion method><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  IDS evasion techniques.  This enables the intrusion detection evasion in LibWhisker.  Multiple options<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  can be used by stringing the numbers together, i.e. to enable methods 1 and 5, use "-e 15".  The valid<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  options are (use the number preceeding each description):<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Random URI encoding (non-UTF8)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Add directory self-reference /./<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Premature URL ending<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Prepend long random string to request<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Fake parameters to files<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;TAB as request spacer instead of spaces<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Random case sensitivity<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Use Windows directory separator \ instead of /<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 9&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Session splicing<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;See the LibWhisker source for more information, or http://www.wiretrip.net/<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -findonly<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Use port scan to find valid HTTP and HTTPS ports only, but do not perform checks against them.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -Format<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Output format for the file specified with the -output option. Valid formats are:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;HTM - HTML output format.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;TXT - Text output format. This is the default if -F is not specified.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;CSV - Comma Seperated Value format.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -generic <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Force full scan rather than trusting the "Server:" identification string, as many servers allow this<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;to be changed.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -host <ip, hostname or file><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  Target host(s) to check against. This can be an IP address or hostname, or a file of IPs or hostnames.  <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  If this argument is a file, it should formatted as described below. This is the only required option.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -id <user:password:realm><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;HTTP Authentication use, format is userid:password for authorizing Nikto a web server realm. For NTLM<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;realms, format is id:password:realm.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -mutate <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Mutate checks. This causes Nikto put all files with all directories from the .db files and <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;can the host. You might find some oddities this way. Note that it generates a lot of checks.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -nolookup<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Don't perform a host name lookup.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -output <filename><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Write output to this file when complete.  Format is text unless specified via -Format.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -port <port number><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Port number to scan, defaults to port 80 if missing.  This can also be a range or list of ports, which<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nikto will check for web servers.  If a web server is found, it will perform a full scan unless the<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-f option is used.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -root<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Always prepend this to requests, i.e., changes a request of "/password.txt" to "/directory/password.txt" <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(assuming the value passed on the CLI was "/directory")<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -ssl <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Force SSL mode on port(s) listed.  Note that Nikto attempts to determine if a port is HTTP or HTTPS <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;automatically, but this can be slow if the server fails to respond or is slow to respond to the <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;incorrect one. This sets SSL usage for *all* hosts and ports.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -timeout&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Timeout for each request, default is 10 seconds<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -useproxy<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Use the proxy defined in config.txt for all requests<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -vhost <ip or hostname><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Virtual host to use for the "Host:" header, in case it is different from the target.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -Version<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Print version numbers of Nikto, all plugins and all databases.<br>
<br>
   These options cannot be abbreviated to the first letter:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-dbcheck<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;This option will check the syntax of the checks in the scan_database.db and user_scan_database.db files. This<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;is really only useful if you are adding checks or are having problems.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -debug<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Print a huge amount of detail out. In most cases this is going to be more information than you need, so<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;try -verbose first.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-update<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;This will connect to cirt.net and download updated scan_database.db and plugin files. Use this with<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;caution as you are downloading files--perhaps including code--from an "untrusted" source. This option<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cannot be combined with any other, but required variables (like the PROXY settings) will be loaded<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;from the config.txt file.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  -verbose <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Print out a lot of extra data during a run. This can be useful if a scan or server is failing, or to see<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;exactly how a server responds to each request.<br>
<br>
<b>HOSTNAME FILE</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;If a file is specified with -h instead of a hostname or IP, Nikto will open the file to use it as a list of targets. The file<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;should be formatted with one host per line. If no port is specified, port 80 is assumed. Multiple ports may be specified per<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;host. If a host file is used, any ports specified via -p are added to every host. Valid lines would be:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.100.100.100<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.100.100.100:443<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.100.100.100,443<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.100.100.100:443:8443<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;10.100.100.100,443,8443<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;evilash.example.com,80<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(etc)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
<br>
<b>CONFIG FILE</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;The 'config.txt' file provides a means to set variables at run-time without modifying the Nikto source itself. The<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;options below can be set in the file. Options that accept multiple values (CGIDIRS, SKIPPORTS, etc.) should just use<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;a space to distinguish multiple values.  None of these are required unless you need them.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;CLIOPTS - Add any option here to be added to every Nikto execution, whether specified at the command line or not.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;NMAP - Path to nmap. If defined, Nikto will use nmap to port scan a host rather than PERL code, and so should be faster.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;SKIPPORTS - Port number never to scan (so you don't crash services, perhaps?).<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;PROXYHOST - Server to use as a proxy, either IP or hostname, no 'http://' needed.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;PROXYPORT - Port number that PROXYHOST uses as a proxy.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;PROXYUSER - If the PROXYHOST requires authentication, use this ID. Nikto will prompt for it if this is not set & it is needed.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;PROXYPASS - If the PROXYHOST requires a password for PROXYUSER, use this password.  Nikto will prompt for it if this is not set & it is needed.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;PLUGINDIR - If Nikto can't find it's plugin directory for some reason, enter the full path and the problem is solved.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;UPDATES   - Turns data push to cirt.net on. Please see the CIRT.NET UPDATES section for details.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;MAX_WARN  - If the number of OK or MOVED messages reaches this number, a warning will printed.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;PROMPTS   - If set to "no", Nikto will *never* prompt for anything--proxy auth, updates, nothing...<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DEFAULTHTTPVER - First try this HTTP method. If this fails, Nikto will attempt to find a valid one. Useful if you want try something non-standard.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;STATIC-COOKIE  - The name/value of this cookie, if set, will be sent for every request (useful for auth cookies).<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Variables that start with the 'at' sign (@) will be used when scan rules are loaded. For each value (seperated by space), the rule<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;will be duplicated. See the TEST DATABASES section for more information.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Predefined variables are:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@CGIDIRS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- CGI directories to look for, valid ones (or all) will be used for CGI checks against the remote host.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@MUTATEDIRS  - Additional directories to use when operating under the Mutate mode besides ones already defined the .db files.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@MUTATEFILES - Additional files to use when operating under the Mutate mode besides ones already defined the .db files.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@ADMINDIRS   - Typical administration directories.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;@USERS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;  - Typical user names for the user guessing plugins.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
<b>CIRT.NET UPDATES</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;In order to help keep the Nikto databases up-to-date, you have the ability to easily submit some updates back to cirt.net for inclusion<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;in new copies of the databases.  Currently, this only includes software versions (such as "Apache/7.0.3"). If Nikto scans a host and sees a <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;newer version on the host than it has in the database, or it is missing entirely, (and your databases are fairly recent), this information can<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;be automatically (or manually) sent back to cirt.net.  <br>
    <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Behaviour of this option is controlled in config.txt through the UPDATES variable. If UPDATES is set to "no", Nikto will<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;not send or ask about sending values to cirt.net. If set to "auto", it will automatically send the data through an HTTP request. If set to "yes"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(which is the default), when there are updates it will ask if you would like to submit and show you the data (unless PROMPTS=no).<br>
    <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;There is only one thing submitted to cirt.net when you do this: the "updated" version string.  No information specific to the host tested is sent.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;No information from the scanning source is sent (it does log your IP address as seen by cirt.net's web server, but... nothing else). <br>
    <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;If you're not comfortable with this, you may also email it to me at sullo@cirt.net or just set UPDATES=no. Please don't complain and say I'm <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;stealing your data... just trying to save me some work ;)<br>
    <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Again: the default configuration of Nikto does *not* send *any* data to cirt.net.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
<b>TEST DATABASES</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Rules in the scan databases can use dynamic variables from config.txt. Any variable that starts with the 'at' sign (@)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;will be substited in rules. For example:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;A rule of "generic","@CGIDIRStest.html","200","GET","Test" with "@CGIDIRS=/cgi-bin/ /cgi-sys/" will test for:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/cgi-bin/test.html<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/cgi-sys/test.html<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Any number of these variables can be set, and any number can be used in a rule (i.e., "@CGIDIRS@ADMINDIRStest.html").<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Additionally, the generic @HOSTNAME and @IP are available, which use the current target's hostname or IP.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Rules can be specified which also have conditionals for test success. This can allow a test to look for a 200 HTTP response<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;but not contain the word "home". This would look like "200!home" in the scan_database.db file.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
<b>EXAMPLES</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;A basic scan of a web server on port 80. The -h option is the only option that is required for a basic scan of a web<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;server on the standard HTTP port.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;nikto.pl -h 10.100.100.10<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;A basic scan of a web server on port 443, forcing SSL encryption and ignoring the Server header.  Note that Nikto does<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;not assume port 443 to be SSL, but if HTTP fails it will try HTTPS.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;nikto.pl -h 10.100.100.10 -p 443 -s -g<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Scanning multiple ports on the server, letting Nikto determine if they are HTTP and SSL encrypted.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;nikto.pl -h 10.100.100.10 -p 80-90 <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Scanning specific ports on the system.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;nikto.pl -h 10.100.100.10 -p 80,443,8000,8080<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;You may combine IDS evasion techniques as desired.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;nikto.pl -h 10.100.100.10 -p 80 -e 167<br>
<br>
<br>
<b>IMPORTANT FILES</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;config.txt  - run-time configuration options, see the CONFIG FILE section<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;nikto_core.plugin - main Nikto code, absolutely required<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;nikto_plugin_order.txt - determines the order in which plugins are executed<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;LW.pm - The stand-alone LibWhisker file.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;user_scan_database.db - If it exists in the plugins directory, it will load these checks as well. Same syntax as scan_database.db<br>
<br>
<br>
<b>ADDITIONAL SOFTWARE</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;LibWhisker is required for proper execution of Nikto. The LW.pm library is included with Nikto, but it is recommended<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;that you download and install the full LibWhisker module from http://www.wiretrip.net/. If you are not using an installed<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Libwhisker, you will need to change Nikto.pl so that it includes the proper LW.pm file.  Edit Nikto.pl and comment the line:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;use LW;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;and uncomment the line below it:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;require "./plugins/LW.pm";<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;nmap can be used to speed up port scans. This should be much faster than relying on PERL code to perform port scans. Nmap can<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;be obtained from http://www.nmap.org/, it is not included with Nikto.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;SSL software is required to test using HTTPS.  For Windows systems, the SSL software and libraries can be obtained from<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;http://www.activestate.com/.  For unix systems, OpenSSL from http://www.openssl.org/ and the Net::SSLeay module from<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;http://www.cpan.org/ are required.<br>
<br>
<b>CHECKS</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Checks, both information and actual security problems, are derived from a number of sources. These include the mailing lists<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;BugTraq, NTBugTraq, WebAppSec (WWW-Mobile-Code), and others. The web sites www.securitytracker.com, www.securiteam.com, <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;www.packetstormsecurity.com and www.securityfocus.com.  Additionally, updates to Nessus are watched and many thanks to<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;all the plugin writers (and to Renaud for Nessus itself) (http://www.nessus.org/).<br>
<br>
<b>WARNINGS</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nikto can cause harm to your local system, the remote system and/or the network.  Some options can generate over 70,000 <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;HTTP requests to a target. Do not run Nikto againsts hosts you are not authorized to perform testing against. Cirt.net<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;takes no responsibility for anything done with this software, any problems it may cause or problems it may find.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Plugins are standard PERL.  They are included and executed when Nikto is run. If you run the -update option, new and<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;updated plugins will be downloaded from cirt.net. This means you are downloading code, and potentially running it, <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;without viewing it yourself.  Please consider the implications.  Do not assume code distributed from Cirt.net is not<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;harmful, as accidents happen and a malicious third party may have inserted a dangerous plugin. Cirt.net assumes no <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;responsibility if any malicious code is delivered via the -update option.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
<br>
<b>DISTRIBUTION</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nikto and updated databases and plugins is distributed from http://www.cirt.net/<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
<b>SEE ALSO</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;LibWhisker - http://www.wiretrip.net/<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nmap - http://www.nmap.org/<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;OpenSSL - http://www.openssl.org/<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;CPAN - http://www.cpan.org/<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ActiveState - http://www.activestate.com/<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Nessus - http://www.nessus.org/<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
<b>LICENSE</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;This copyright applies to all code included in this distribution, but does not include the LibWhisker software, which is<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;distributed under its own license.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Copyright (C) 2001-2003 Sullo/CIRT.net<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;as published by the Free Software Foundation; either version 2  of the License, or (at your option) any later version.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.<br>
<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;You should have received a copy of the GNU General Public License along with this program; if not, write to the <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Contact Information: See the AUTHOR section.<br>
<br>
<br>
<b>AUTHOR</b><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Sullo, sullo@cirt.net<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;http://www.cirt.net/<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Suggestions/fixes/support from: Jericho/attrition.org, rfp/wiretrip.net, Zel/firewallmonkeys.com, Zeno/cgisecurity.com, <br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Darby/cirt.net, Valdez/cirt.net, S Saady, P Eronen/nixu.com, M Arboi, T Seyrat, J DePriest, P Woroshow, fr0stman, E Udassin,<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;H Heimann and more<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Many tests and contributed/suggested by: M Richardson, Jericho/attrition.org, Prickley Paw, M Arboi, H Heimann and more<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;And Xiola.net for succeeding where everyone else has failed.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
